Monday, 20 January 2014

Clear or crummy cookie practice?

Every now and again, I stumble across a new website and take
a quick squint at the cookie policy.
Don’t worry - it’s not something that is of
any interest to me in my real life. But, for professional reasons, I do like to
see how the webmaster has addressed the issues that were under such intense scrutiny
a couple of years ago. (Oh, how time flies.)

I recently came across a site advertising a conference, to
be held in April, on smart cities.

The first thing I noticed was the cookie banner, proclaiming:
“We have published a new cookie policy. It explains what cookies are and how we
use them on this site. To learn more about cookies and their benefits, please
view our cookie policy. If you’d like to disable cookies on this device, please
view our cookie policy for information on how to manage cookies. Please be
aware that parts of the site will not function correctly if you disable
cookies. By closing this message, you consent to our use of cookies on this
device in accordance with our cookie policy unless you have disabled them.”

That’s right. This time you get four separate links to the same
cookie policy in the four lines of text.

The cookie policy, should the reader click onto it, is a page
that contains a bunch of quite accessible information, including a plain English
explanation of each of the 19 cookies that are loaded, and how long they remain.
One cookie expires after 10 years, others expire at the end of the browsing
session. But at least the webmaster knows what cookies are set, and when they
expire.

I just hope the webmaster takes as much care reviewing the website
to make sure new explanations are added when new cookies are introduced, as
they evidently did when creating the original text.

I did chuckle when I
read the relevant cookie explanation on Informa’s main website, which explains
that: "Websites are now required by law to gain your consent before applying cookies. We use cookies to improve your browsing experience. Parts of the website may not work as expected without them. By closing or ignoring this message, you are consenting to our use of cookies."

So, according to Informa, ignoring a message is taken as consenting to the relevant processing.

Another instance, like my last blog post, where the data controller is adamant that silence can be taken as consent.

I must admit that I'm more comfortable with the previous example, with the NHS taking my silence as consent, than I am with Informa's stance. Informa should require the visitor to its website to do something more than just ignore a message to assume consent - I would have preferred an explanation along the lines of: "By closing this message or remaining on this website, you are consenting to our use of cookies."

But then again, I'm just being pedantic. How many people really do click through cookie banners and actually read the policies, anyway?

About Me

I'm Martin Hoskins, and I write this blog to offer somewhat of an irreverent approach to data protection issues. I'm not one of the "high priests" of data protection. I prefer the principles of transparency, fairness, practicality and risk-assessment over tedious technical dogma. In my view, when the law is unfair or impractical, it should be queried.
While I may, occasionally, gently criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity. My comments should never be taken to represent anyone else's views about any of the pressing issues of the day.
There is a much more serious side to my privacy consulting work, but for that you'll need to contact me at Grant Thornton UK LLP, where I'm an Associate Director, leading the UK privacy practice.
I tweet as @DataProtector.
You can contact me at:
martin.c.hoskins@uk.gt.com, or (with respect to my less serious posts) info@martinhoskins.com.